I am not sure if it is the correct place to ask such a question.
One of my websites got malware. It is hosted on a 1&1 server and the website is developed in WordPress 3.3.1 (now upgraded to 3.5). A few things I noticed are:

A file named 1278bd2dc5f89296044af950a96cd9d0 automatically created in public root directory. If I delete it, it reappear in couple of minutes.

This file has IP address separted by a pipe sign. Every few minutes, a new IP address is added to the list.

Initialy, it also overwrite the index.php and wp-admin/admin.php files with lower permissions. I could not view what the have but I could only delete them.

I SSHed to server and see there are no unknown processes running.

I have one single FTP user. whose password I have changed a while ago.

Can anybody tell me? What and where should I check to stop this happening? Maybe it's remote process but how to track it down?

Those IP addresses look like the IP addresses of your visitors... msnbot, yandex and sucuri.net(?) - so I wouldn't post too many of those on here. So it looks like visitors to your site are perhaps triggering this script. What did this "malware" do? Did it attempt to download something to visitors?
–
w3dDec 21 '12 at 17:54

Initially, website was showing ACCESS DENIED error as malware replaced index.php with its own. but website look and work fine. In spite the fact that Google marked is as infected site every time it crawls.
–
FatalErrorDec 21 '12 at 18:01

The "best" malware will not interfere with the normal working of your site (so as not to alert you) but attempt to spread its malicious intent through your site visitors. By logging your site visitors to a publicly accessible file the malware knows where to go next - just my hypothesis.
–
w3dDec 21 '12 at 18:11

That is absolutely true, But how can we get rid of it? :-)
–
FatalErrorDec 21 '12 at 18:12